github.com/pallets/click
Submitted 7/13/2026, 9:35:09 PM · Status: ok
Risk grade
D
77 / 100
Findings
31
0 critical5 high21 medium2 low3 info0 on CISA KEV0ATT&CK
Showing 31 of 31 findings
Findings
- Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoSgrypeCVE-2026-54283EPSS 0.3%
- Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on WindowsgrypeCVE-2026-48818EPSS 0.4%
- urllib3: Decompression-bomb safeguards bypassed in parts of the streaming APIgrypeCVE-2026-44432EPSS 0.7%
- urllib3: Sensitive headers forwarded across origins in proxied low-level redirectsgrypeCVE-2026-44431EPSS 0.5%
- the `errors` argument to Popen is only available on Python 3.6+semgrepsrc/click/_termui_impl.py:531
- Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fixgrypeCVE-2026-45409EPSS 0.4%
- pytest has vulnerable tmpdir handlinggrypeCVE-2025-71176EPSS 0.1%
- Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checksgrypeCVE-2026-48710EPSS 1.4%
- Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`grypeCVE-2026-48817EPSS 0.2%
- uv is vulnerable to arbitrary file write through entry point namesgrype
- Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fixThis is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. Payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize the `valid_contexto` function prior to length rejection, and for high values of `N` will take a long time…osv-scannerCVE-2026-45409
- PYSEC-2026-141urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.osv-scannerCVE-2026-44431
- PYSEC-2026-142urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w…osv-scannerCVE-2026-44432
- PYSEC-2026-215Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize t…osv-scannerCVE-2026-45409
- PYSEC-2026-248Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin wi…osv-scannerCVE-2026-54282
- PYSEC-2026-249Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form…osv-scannerCVE-2026-54283
- pytest has vulnerable tmpdir handlingpytest through 9.0.2 on UNIX relies on directories with the `/tmp/pytest-of-{user}` name pattern, which allows local users to cause a denial of service or possibly gain privileges.osv-scannerCVE-2025-71176
- Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks### Summary In affected versions, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `reque…osv-scannerCVE-2026-48710
- Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`### Summary When dispatching a request, `HTTPEndpoint` selects the handler by lowercasing the HTTP method and looking it up as an attribute with `getattr`, without restricting the lookup to a known set of HTTP verbs. When an `HTTPEndpoint` subclass is registered through `Route(…osv-scannerCVE-2026-48817
- Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS### Summary `request.form()` accepts `max_fields` and `max_part_size` to bound resource consumption while parsing form data. These limits are enforced for `multipart/form-data`, but silently ignored for `application/x-www-form-urlencoded`. An unauthenticated attacker can therefor…osv-scannerCVE-2026-54283
- Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows### Summary When serving static files on Windows, `StaticFiles` resolves the requested path with [`os.path.realpath`](https://docs.python.org/3/library/os.path.html#os.path.realpath). If a UNC path (such as `\\attacker.com\share`) reaches the resolver, `realpath` causes the proc…osv-scannerCVE-2026-48818
- Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname### Summary In affected versions, the HTTP request path is not validated before being used to reconstruct `request.url`. Because `request.url` is rebuilt by concatenating `{scheme}://{host}{path}` and re-parsing the result, a path that does not begin with `/` (for example `@goog…osv-scannerCVE-2026-54282
- urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API### Impact urllib3's [streaming API](https://urllib3.readthedocs.io/en/2.7.0/advanced-usage.html#streaming-and-i-o) is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. …osv-scannerCVE-2026-44432
- urllib3: Sensitive headers forwarded across origins in proxied low-level redirects### Impact When following cross-origin redirects for requests made using urllib3’s high-level APIs, such as `urllib3.request()`, `PoolManager.request()`, and `ProxyManager.request()`, sensitive headers — `Authorization`, `Cookie`, and `Proxy-Authorization` (defined in `Retry.DEF…osv-scannerCVE-2026-44431
- uv vulnerable to arbitrary file deletion through RECORD entries## Impact Wheel RECORD entries can contain relative paths that traverse outside of the wheel’s installation prefix. In versions 0.11.5 and earlier of uv, these wheels were not rejected on installation and the RECORD was respected without validation on uninstall. uv uses the REC…osv-scanner
- Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'.semgrepsrc/click/parser.py:520
- Starlette: Unvalidated request path concatenated into authority poisons request.url.hostnamegrypeCVE-2026-54282EPSS 0.2%
- uv vulnerable to arbitrary file deletion through RECORD entriesgrype
This report is public.